State's cyber safety net must be strengthened

By Eli Ben Meir

February 24, 2017

Photo: David Pike, MBR / Associated Press

In this photo taken March 10, 2015, George Zenner, team captain of the Marine Military Academy CyberPatriot team, practices his security skills before the competition this week in Harlingen, Texas. (AP Photo/Valley Morning Star, David Pike)

In this photo taken March 10, 2015, George Zenner, team captain of...

When the Texas Department of Public Safety released its 2017 Public Safety Threat overview last month, it was encouraging to see that the annual assessment flagged cyber threats as "a significant area of concern". Quite rightly, the report highlights the "potential consequences" to the state's critical infrastructure in the event of a successful hack. After all, hackers and cyber enemies are becoming increasingly ambitious and ever more sophisticated.

Texas already has plenty of first-hand experience of cyber assaults. Most seriously, back in 2011, a data breach exposed 3.5 million records, including names, addresses and Social Security numbers. More recently, a Texas school district reported last year that cyber criminals hacked into their records on multiple occasions across 20 campuses. Meanwhile, fraudulent online payments recently cost the El Paso city government in excess of $3 million. Reports also indicate that Texas businesses suffer many more cyber attacks than are actually reported to authorities.

Not that Texas is experiencing anything unique. Cyber combat is becoming the weapon of choice for those seeking to wreak havoc. The alleged Russian hack of the Democratic National Committee captured global headlines. But it isn't just high-profile institutions, or even finances and personal data which are at risk. Cyber crime threatens chaos, with energy networks an increasingly popular target.

Just over a year ago, almost one quarter million people in the Ivano-Frankivsk region of Western Ukraine were left without electricity after hackers took control of a local power network. Last year, a sophisticated Iranian hack almost succeeded in obtaining control of the flood gates at a New York dam. And just last month, Vermont's largest municipal utility was said to be compromised by a Russian intrusion. In a survey last year, workers at more than 75 percent of U.S. companies in the oil, natural gas and electricity industries reported a "successful" hack of their systems in the previous twelve months.

All of this is profoundly concerning for Texas, given the prominence of the energy sector and the state's reliance on its' independent stand-alone power grid. As such, the annual DPS assessment represents a welcome, healthy awareness of the dangers, an important first step towards safeguarding the state's digital well-being.

But there is plenty more to be done. The State House Committee heard expert evidence last year indicating that the average government entity devotes between just 1 and 2 percent of its budget to information technology. An increase would clearly be welcome. However, cyber safety is not merely a question of increased finance. Because digital threats are so varied, the answer cannot be found in isolated cutting edge technological tools, however expensive they may be. Just as heart disease cannot be cured by the latest revolutionary cancer drugs, nor can the most innovative firewall guard against the threat of an insider hack.

A more sophisticated response is required. Especially as the dangers posed by cyber criminals are becoming increasingly complex and ever more lethal. Much has changed since two young British hackers, Richard Pryce and Mathew Bevan, breached U.S. military computer systems and the Korean Atomic Research Institute in the mid-1990s. Today's digital bandits transcend borders, are often state-sponsored and almost always remain anonymous.

Yet research conducted in 2016 by the Texas Municipal League found that fewer than 40 percent of cities outlined a cyber security policy and just 22 percent incorporate cyber incidents into their disaster recovery plan.

A wholly different, strategic approach to cyber security is needed. Without it, even the most expensive response cannot be anything more than a quick fix. What is required is a comprehensive, holistic cyber strategy, to truly tackle digital threats. Governments and institutions must first accurately assess their current cyber safety. Based on this critical knowledge, the correct tools, processes and procedures can be tailored to specific needs and integrated into everyday operations. The result is a resilient and sustainable cyber defense capacity. This is the only way for governments to prepare for tomorrow's cyber attacks, rather than forever responding to yesterday's threats.

Texas' leaders deserve credit for their awareness of the potent dangers posed by cyber warfare. The next step is to use it as a catalyst for building effective, robust protection. After all, diagnosing an illness is pointless without a cure. But the remedy must not be a Band-Aid. Instead, a strategy is required that deploys the right technological solutions in the right places to protect the state's vital interests. The alternative is a future at the mercy of hackers who crave disruption and destruction.

Meir is the chief strategy officer and co-founder of CyGov, a cybersecurity company. He is formerly the second in command of Israel's military intelligence.